Flaws in Stratos Global AmosConnect 8 PC-based SATCOM service impact thousands of customers worldwide running the newest version of the platform that is used in vessels.

AmosConnect 8 is a PC-based SATCOM service, introduced in 2010, that integrates many communication tools such as email, fax, telex, GSM text and interoffice communication.

According to the researchers from IOActive. Inmarsat, which owns Stratos Global, considered the research as irrelevant because it related to a communication platform that has been discontinued.

“When IOActive brought the potential vulnerability to our attention, early in 2017, and despite the product reaching end of life, Inmarsat issued a security patch that was applied to AC8 to greatly reduce the risk potentially posed.” reads the statement issued by Inmarsat.

The vendor speculated the attack scenario shown by the experts would be difficult to realize.

Experts at IOActive confirmed that the vulnerabilities impact thousands of customers worldwide running the newest version of the AmosConnect platform that is used in vessels.

The vulnerabilities discovered by the researchers include a “blind SQL injection, tracked as CVE-2017-3221, in a login form and a backdoor account (CVE-2017-3222) that gives attackers full system privileges.

The blind SQL injection vulnerability in AmosConnect 8 login form could be exploited by unauthenticated attackers to access login credentials of other users.

“A Blind SQL Injection vulnerability is present in the login form, allowing unauthenticated attackers to gain access to credentials stored in its internal database. The server stores usernames and passwords in plaintext, making this vulnerability trivial to exploit.” states the advisory published by IOActive.

The second issue could be exploited by an attacker to execute arbitrary code on the platform server and potentially exposing sensitive data.

“The AmosConnect server features a built-in backdoor account with full system privileges. Among other things, this vulnerability allows attackers to execute commands with SYSTEM privileges on the remote system by abusing AmosConnect Task Manager.” continues IOActive.

IOActive notified the vulnerabilities Inmarsat in October 2016, and completed the disclosure process in July 2017, meantime the Inmarsat has discontinued the AmosConnect 8.0 version of the platform.

Currently, the vendor refuses connections from AmosConnect 8 email clients, so customers cannot use this software.

According to the experts form IOActive, Vessel networks are typically segmented and isolated from each other, typical subnets are:

Navigation systems network.

Industrial Control Systems (ICS) network.

IT systems network.

Bring-Your-Own-Device networks.

SATCOM.

The experts remarked that while the vulnerabilities recently discovered may only be exploited by an attacker with access to the IT systems network, within certain vessel configurations some networks might not be segmented, exposing vulnerable AmosConnect platforms to one or more of these networks.

“A typical scenario would make AmosConnect available to both the BYOD “guest” and IT networks; one can easily see how these vulnerabilities could be exploited by a local attacker to pivot from the guest network to the IT network.” concluded IOActive. “Also, some the vulnerabilities uncovered during our SATCOM research might enable attackers to access these systems via the satellite link.”